Shibboleth vulnerability CVE-2020-27978 – 28th Oct 2020

Preface: This vulnerability was disclosed a year ago (the advisory is dated 2nd Oct 2019; the CVE identifier was assigned later). The details of the defect are still worth knowing, because the underlying mistake is a general one.

Background: Shibboleth is a web-based Single Sign-On infrastructure built on SAML. The Shibboleth Identity Provider does not carry out authentication itself; it delegates to pluggable login flows. SAML (Security Assertion Markup Language) is an umbrella standard that covers federation, identity management and single sign-on (SSO).

Vulnerability details:

The Shibboleth Identity Provider supports a number of login flows that rely on servlets or JSP pages to operate, including External, RemoteUser, X509, and SPNEGO. These flows are vulnerable to a denial-of-service attack by a remote, unauthenticated attacker: repeated requests drive Java heap exhaustion, because each request creates objects that are stored in the Java Servlet container session.

Causes: The use of expressions like “new someclass()” in the webflows, e.g. in the ExternalAuthentication flows, is a denial-of-service vector for remote attackers, because the objects created this way exhaust memory if they are stored anywhere that is not tied to the webflow conversation. Conversations are capped at 5 per session and the oldest is swapped out when a new one starts, so objects held in conversation scope are bounded. Anything stored directly in the container session, however, is never freed by that mechanism and accumulates with every request, so an attacker who keeps replaying the login flow against the same session grows the heap until the JVM runs out of memory.
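The difference between the two storage locations is easiest to see in a model. The following is an added example, not code from the Shibboleth project: it simulates one servlet container session with a plain attribute map (unbounded, like the container session the flows wrote into) beside a conversation store capped at 5 entries (like the webflow conversations described above), replays the login flow many times, and counts what stays resident. The class and key names are hypothetical, and the cap of 5 and the object size are taken as parameters of the simulation rather than measured from an IdP.

```python
"""Simulation of the CVE-2020-27978 accumulation pattern (added example, not Shibboleth code)."""
from collections import OrderedDict

# Per the advisory, webflow conversations are capped at 5 per session (assumption: modelled as a
# simple oldest-out eviction, which is enough to show the bound).
MAX_CONVERSATIONS = 5


class LoginContext:
    """Stand-in for whatever a webflow expression such as "new someclass()" instantiates."""

    def __init__(self, size: int) -> None:
        # A payload of a fixed size makes the retained heap easy to reason about.
        self.payload = bytearray(size)


class ServletSession:
    """Hypothetical model of one container HttpSession.

    attributes:    the raw session map; nothing in the flow engine ever evicts from it.
    conversations: flow-conversation storage; bounded by MAX_CONVERSATIONS, oldest evicted.
    """

    def __init__(self) -> None:
        self.attributes: dict = {}
        self.conversations: "OrderedDict[int, LoginContext]" = OrderedDict()

    def store_in_session(self, key: str, obj: LoginContext) -> None:
        # The vulnerable pattern: every flow execution parks a fresh object under a new key.
        self.attributes[key] = obj

    def store_in_conversation(self, conv_id: int, obj: LoginContext) -> None:
        # The safe pattern: once the cap is reached, starting a new conversation drops the oldest.
        if len(self.conversations) >= MAX_CONVERSATIONS:
            self.conversations.popitem(last=False)
        self.conversations[conv_id] = obj

    def retained_objects(self) -> int:
        return len(self.attributes) + len(self.conversations)

    def retained_bytes(self) -> int:
        objs = list(self.attributes.values()) + list(self.conversations.values())
        return sum(len(o.payload) for o in objs)


def run_login_attempts(attempts: int, object_size: int, store_in_container_session: bool):
    """Replay the login flow `attempts` times against a single session.

    Returns (objects still referenced, bytes still referenced) once the attacker stops.
    """
    session = ServletSession()
    for i in range(attempts):
        ctx = LoginContext(object_size)
        if store_in_container_session:
            # Hypothetical attribute name; the point is that each request gets its own key.
            session.store_in_session(f"authn/External/{i}", ctx)
        else:
            session.store_in_conversation(i, ctx)
    return session.retained_objects(), session.retained_bytes()


if __name__ == "__main__":
    # Constructed scenario: 10,000 unauthenticated requests, each creating a 1 KiB object.
    for vulnerable in (True, False):
        objs, size = run_login_attempts(10_000, 1024, vulnerable)
        where = "container session" if vulnerable else "conversation scope"
        print(f"{where:>18}: {objs:>6} objects, {size:>9} bytes retained")
```

With the container-session variant, retention grows linearly with the number of requests and only the session timeout (or the JVM dying) ends it; with conversation scope it never exceeds five objects regardless of how many requests arrive. When auditing a flow definition, the question to ask of every `new ...` expression is therefore which of these two places its result ends up in.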

Remark: The Java heap is the memory region the runtime uses for objects and for loaded JRE classes; every object created with new lives on the heap. Unbounded retention of per-request objects in a session therefore translates directly into heap exhaustion, which is why an unauthenticated client can take down the whole JVM rather than just its own session.

Official announcement: https://shibboleth.net/community/advisories/secadv_20191002.txt
